>Number: 798
>Category: mod_auth-any
>Synopsis: mod_auth fails password checks if passwd file contains extra
>stuff.
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: change-request
>Submitter-Id: apache
>Arrival-Date: Sat Jun 28 19:40:01 1997
>Originator: [EMAIL PROTECTED]
>Organization:
apache
>Release: 1.2.0
>Environment:
SunOS test-ino 5.5.1 Generic_103640-04 sun4m sparc SUNW,SPARCstation-10
>Description:
In the function get_pw in mod_auth.c Apache attempts to grab the
password field out of the password file and return it for a given
user. This code assumes that the password file will be formated
like "username:password" and will never contain any additional
colon seperated information. The 'AuthUserFile' documentation does
not explicitly state that you can store anything besides a username
and a password in in the file, that's why this is a change-request
rather than a sw-bug. It should be noted that the O'Reilly Apache
book encourages you to store extra stuff in the password file.
>How-To-Repeat:
>Fix:
*** fixed_mod_auth.c Sat Jun 28 19:02:41 1997
--- apache_1.2.0/src/mod_auth.c Thu Apr 24 03:16:54 1997
***************
*** 128,134 ****
if(!strcmp(user,w)) {
pfclose(r->pool, f);
! return pstrdup (r->pool, getword (r->pool, &rpw, ':'));
}
}
pfclose(r->pool, f);
--- 128,134 ----
if(!strcmp(user,w)) {
pfclose(r->pool, f);
! return pstrdup (r->pool, rpw);
}
}
pfclose(r->pool, f);
%0
>Audit-Trail:
>Unformatted:
